(57) A method and device for routing data packets (110) of a wireless terminal device in a communication network. When Open System Authentication is used (103) the system operates similarly to the current Nokia Operator Wireless LAN system, in which the terminal device and the access controller are the parties involved in the authentication (105). The access controller relays information relating to the authentication between the terminal device and an authenticating server, and it is capable of independently updating the list of users it maintains. When authentication according to IEEE 802.1X is used (102), the access point operates according to the IEEE 802.1X standard (108), serving as the authenticating party and relaying information relating to the authentication between the terminal device and the authentication server. In addition, the list maintained by the access controller is updated (107) after a successful authentication, for example by the access point or the authenticating server.
Description

[0001] The present invention relates to a method and apparatus for access control of a wireless terminal device to a communications network and particularly, although not necessarily, for relaying data packets of a wireless terminal device having controlled access to a wireless local area network.

PRIOR ART 

[0002] A wireless local area network typically comprises a network comprising terminal devices, such as wireless terminal devices or portable computers, and access points, wherein data transmission between the terminal devices and the access points is carried out partly or entirely in a wireless manner using radio waves or infrared technology.

[0003] The structure of telecommunications networks is generally described using the OSI model (Open System Interconnection), which defines the interfaces through which the different devices and the related software communicate with each other. The OSI model is based on a concept of layers, the lowest, or first, layer being known as a Physical Layer encompassing all logical, electrical and mechanical issues relating to data transfer. The second protocol layer, i.e. the Data Link Layer, is responsible for connection set-up, error correction and connection release. The third protocol layer, i.e. the Network Layer, provides data transfer not dependent on the network structure. The subsequent layers are the Transport Layer (fourth layer), Session Layer (fifth layer), Presentation Layer (sixth layer), and Application Layer (seventh layer).

[0004] In the OWLAN (Operator Wireless Local Area Network) system, authentication and access control currently take place on the third layer of the OSI model, i.e. the network layer, or IP layer, and WLAN association between the terminal device and the Access Point is carried out without authentication. An access point is a physical device, such as a base station, interconnecting a wireless network and a wired one. In Open System Authentication the association event does not involve actual authentication, but the open system authentication, performed before association, is null authentication. After the association event, the terminal device is typically provided with an IP address by means of an IP-based DHCP (Dynamic Host Configuration Protocol) method. Authentication is then carried out by executing an IP-based authentication protocol. Although the authentication protocol also employs protocol layers above the IP layer, the authentication is in this case referred to as authentication of the third protocol layer because access control is typically implemented on the third protocol layer. The Operator Wireless LAN solution includes the Network Access Authentication Protocol (NAAP), which is a protocol of the third protocol layer to authenticate the wireless terminal using the GSM Subscriber Identity Module. Another example of a third protocol layer authentication protocol is solutions based on the Hypertext Transfer Protocol (HTTP), where the authentication is performed using a World Wide Web (WWW) page in which the user fills in the credentials. Yet another example of a third protocol layer authentication protocol is the Internet Key Exchange (IKE) Protocol, which is used when setting up a Virtual Private Network connection. In all these examples, the wireless terminal needs to perform the third protocol layer authentication protocol before it can access the resources for which access control is being enforced.

[0005] Standardization provides a framework for hardware and software manufacturers to enable products of different manufacturers to be used side by side. The title of the WLAN standard is IEEE 802.11 and it has gradually been supplemented by a number of sub-standards. According to the forthcoming IEEE 802.11i standard, WLAN authentication will be carried out according to a second protocol layer authentication method, such as an IEEE 802.1x protocol, before transmission of IP packets between the terminal device and the network.

[0006] The first router in the OWLAN system, i.e. the edge router, which is between the communications network and the wireless terminals connected to the wireless local area network, functions in the OWLAN as the other party in the authentication carried out according to the third protocol layer, i.e. open system authentication, and it maintains an Access Control List (ACL) of authenticated terminal devices. The IEEE is standardizing a new WLAN authentication system where authentication is performed against the Access Point. If the access network deploys only the new WLAN authentication system then the present OWLAN system, such as the Nokia Operator Wireless LAN Release 1.0 solution, cannot be used, because the client is not allowed to run the authentication protocol of the third protocol layer without first authenticating according to the IEEE 802.1x protocol. As some users will acquire new terminal devices while others will have old terminal devices, there will be "old" terminals that can access the network by using the third protocol layer authentication method and further there will be "new" terminals that can access the network by using the authentication method according to the IEEE 802.1x standard. Also there will be networks comprising access points that operate only according to the IEEE 802.1x standard and other access points that operate as part of an OWLAN system. A problem that will be faced in the standardization of current systems is the incompatibility of the present open system and the future second protocol layer authentication systems, i.e. the present terminals cannot access networks according to the IEEE 802.1x standard and the future terminals according to the IEEE 802.1x standard cannot access the present open system networks.

SUMMARY OF THE INVENTION

[0007] A method and apparatus has now been invented for allowing a wireless terminal to access a network by using either a third protocol layer authentication, such as open system authentication, or a second protocol layer authentication, such as according to the IEEE 802.1x protocol. An Access Point of the invention enables both Open System Authentication, in which the terminal device is authenticated at a later stage according to the third protocol layer, and authentication of the second protocol layer, such as IEEE 802.1x authentication. By using the invention certain network elements of the Wireless LAN solution can support both the new IEEE 802.1x layer 2 authentication standard and the current layer 3 authentication in a backward compatible way.

[0008] In the current Nokia Operator Wireless LAN solution, the access controller is responsible for maintaining an access control list and for performing a third protocol layer authentication protocol. In the present invention, these functionalities are separated into a logical access controller functionality and an authentication agent functionality for performing a third protocol layer authentication protocol. The network is organised so that at least part of the packets of terminal devices traverse the network element that contains the logical access controller functionality. The authentication agent functionality refers to the third protocol layer authentication protocol implementation, such as the NAAP protocol, the HTTP (Hypertext Transfer Protocol) authentication protocol or the Internet Key Exchange (IKE) protocol implementation. The access controller functionality and the authentication agent functionality are not necessarily implemented in the same physical network element, but it is possible to implement the access controller functionality in the access point device or some other device instead.

[0009] If third protocol layer authentication is used, then the authentication agent operates as the authenticator entity performing the third protocol layer authentication protocol, as in the current Nokia Operator Wireless LAN solution. A successful authentication results in the terminal being added to an access control list. If the access controller functionality resides in a device separate from the authentication agent, then the authentication agent sends the terminal's information to the network element containing the access controller functionality. An authenticator is an entity that facilitates the network access authentication of the terminal device by operating as the peer entity in the authentication protocol used between the terminal and the authenticator. An authentication server is an entity that provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, i.e. the terminal device, whether the supplicant is authorized to access the services provided by the authenticator. If second protocol layer authentication is performed, then the Access Point will first operate as specified in the IEEE standards and operate as the Authenticator entity. In addition, after successful authentication, the Access Point updates the access control list so that the packets of the clients authenticated at the second protocol layer are relayed too. If the access controller functionality resides in a device separate from the access point, then the access point sends the terminal's information to the network element containing the access controller functionality.

[0010] The invention provides a solution that allows a wireless local area network system, such as the Nokia Operator Wireless LAN, to support both an authentication standard of the second protocol layer, i.e. Layer 2, such as an authentication standard according to the IEEE 802.1x, and the current authentication standard based on the third protocol layer, i.e. Layer 3.

[0011] When Open System Authentication is used, the system operates similarly to the current Nokia Operator Wireless LAN system, in which the terminal device and the authentication agent are the parties involved in the authentication. The authentication agent relays information relating to the authentication between the terminal device and an authenticating server, and it is capable of updating the list of authenticated users, regardless of which network element maintains the list.

[0012] When authentication according to the second protocol layer is to be carried out, such as IEEE 802.1x authentication, the access point operates according to the IEEE 802.1x standard, serving as the authenticating party and relaying information relating to the authentication between the terminal device and the authentication server. In addition, the access control list is updated after a successful authentication, for example by the access point or the authenticating server, to allow the network element that contains the access controller functionality to also relay packets of terminals authenticated according to the second protocol layer.

[0013] As regards terminals employing the second protocol layer authentication, in the implementation according to the invention the interface provided between the terminal and the network is in full accordance with the standard. The invention does not set any new requirements on terminals employing the third protocol layer authentication either.

[0014] The advantages of the invention include compatibility with the current open system, where authentication is carried out on the third protocol layer, and with a system where authentication is carried out on the second protocol layer, for example according to the IEEE 802.1x standard. Regardless of the authentication method, the network element that contains the access controller functionality is capable of carrying out the bookkeeping and accounting routines relating to the transfer of data packets. Further, the devices according to the new standard are able to operate in a network according to the present open system standard.

[0015] According to a first aspect of the invention a method is provided for access control of a wireless terminal device in a communication network, the network comprising an access point for setting up a communication connection to the terminal device, an authentication agent for relaying authentication information between the terminal device and an authentication server, a logical access controller functionality for relaying data packets of the authenticated terminal device and blocking data packets of unauthenticated terminal devices, the logical access controller functionality further comprising a list of authenticated terminal devices, an authenticating server for providing an authenticating service for the terminal device to authenticate to the network, the terminal device being configured to use one of the following authentication methods in order to authenticate itself to the network: a first authentication method wherein the access point relays authentication information between the terminal device and the authentication server, a second authentication method wherein the authentication agent relays authentication information between the terminal device and the authentication server, characterized by the method comprising the steps of identifying at the access point whether the terminal is using the first or the second authentication method, whereby if the terminal authenticates by using the first authentication method, performing the steps of: the access point relaying authentication information between the terminal device and the authentication server, the access point sending the identifier data of the terminal device, in response to successful authentication, to the list of the access controller functionality, the access controller functionality adding the identifier data of the authenticated terminal device to the list and relaying data packets of the terminal device included on the list, and if the terminal device authenticates by using the second authentication method, performing the steps of: the access point relaying information between the terminal device and the authenticating agent, the authentication agent relaying authentication information between the terminal device and the authentication server, the authentication agent sending identifier data of the terminal device, in response to successful authentication, to the list of the access controller functionality and the access controller functionality adding the identifier data of the authenticated terminal device to the list and relaying data packets of the terminal device included on the list.

[0016] According to a second aspect of the invention an access point is provided for setting up a communication connection to a terminal device in a network, said network further comprising an authentication agent for relaying authentication information between the access point and an authentication server, a logical access controller functionality for relaying data packets of the authenticated terminals included on a list and blocking data packets of unauthenticated terminals, an authenticating server for providing an authenticating service for the terminal device to authenticate to the network, the terminal device being configured to use one of the following authentication methods in order to authenticate itself to the network: a first authentication method wherein the access point is configured to relay authentication information between the terminal device and the authentication server, a second authentication method wherein the access point is configured to relay authentication information between the terminal device and an authentication agent, characterized in that the access point further comprises identifying means for identifying whether the terminal device is using the first or the second authentication method, first relaying means for relaying authentication information between the terminal device and the authentication server on the basis of the identified first authentication method, sending means for sending identifier data of the terminal device, in response to successful authentication of the first authentication method, to the list of the access controller functionality, second relaying means for relaying authentication information between the terminal device and the authentication agent and sending means for sending identifier data of the terminal device, in response to successful authentication of the second authentication method, to the list of the access controller functionality.

EP 1 330 073 A1

[0017] According to a third aspect of the invention a system is provided for relaying data packets of a wireless terminal device in a communication network, the network comprising: an access point for setting up a communication connection to the terminal device in a network, said network further comprising an authentication agent for relaying authentication information between the terminal device and an authentication server, a logical access controller functionality for relaying data packets of the authenticated terminal device and for blocking data packets of unauthenticated terminal devices, the access controller further comprising a list of authenticated terminal devices and relaying means for relaying data packets of the terminal devices included on the list, an authenticating server for providing an authenticating service for the terminal device to authenticate to the network, the terminal device being configured to use one of the following authentication methods in order to authenticate itself to the network: a first authentication method wherein the access point relays authentication information between the terminal device and the authentication server, a second authentication method wherein the access controller relays authentication information between the terminal device and the authentication server, characterized in that the system comprises identifying means for identifying at the access point whether the terminal device is using the first or the second authentication method, first relaying means for relaying at the access point the authentication information of the first authentication method between the terminal device and the authentication server, second relaying means for relaying information between the terminal device and the authentication agent, third relaying means at the authentication agent for relaying authentication information of the second authentication method between the access point and the authentication server, sending means for sending from the access point identifier data of the terminal device, in response to successful authentication of the first authentication method, to the list of the access controller functionality, sending means for sending from the authentication agent the identifier data of the terminal, in response to successful authentication of the second authentication method, to the list of the access controller functionality and relaying means for relaying data packets of the terminal device included on the list.

[0018] According to a fourth aspect of the invention a method is provided for relaying data packets of a wireless terminal device in a communication network, the network comprising: an access point for setting up a communication connection to the terminal device, an access controller for relaying authentication information between the terminal device and an authentication server, an authentication server for providing an authenticating service for the terminal device to authenticate to the network, the terminal device being configured to use one of the following authentication methods in order to authenticate itself to the network: a first authentication method wherein the access point relays authentication information between the terminal device and the authentication server, a second authentication method wherein the access controller relays authentication information between the terminal device and the authentication server, the method comprising: establishing a communication connection between the terminal device and the access point, characterized by the method further comprising the steps of identifying at the access point a parameter relating to the step of establishing a communication connection, classifying the terminal device on the basis of the identified parameter and directing data packets of terminal devices of different classes to separate logical channels on the basis of the classifying.

[0019] According to a fifth aspect of the invention an access point is provided for setting up a communication connection to the terminal device in a network, said network comprising: an access controller for relaying authentication information between the terminal device and an authentication server, an authentication server for providing an authenticating service for the terminal device to authenticate to the network, the terminal device being configured to use one of the following authentication methods in order to authenticate itself to the network: a first authentication method wherein the access point relays authentication information between the terminal and the authentication server, a second authentication method wherein the access point is configured to relay authentication information between the terminal device and the access controller, said access point comprising establishing means for establishing a communication connection between the terminal device and the access point, characterized in that the access point further comprises identifying means for identifying a parameter relating to the establishment of the communication connection, classifying means for classifying the terminal device on the basis of the identified parameter and directing means for directing data packets of terminal devices of different classes to separate logical channels on the basis of the classifying.

[0020] In the following, the invention will be described in greater detail with reference to the accompanying drawings, in which

Figure 1 is a flow diagram illustrating a method according to an embodiment of the invention;
Figure 2 shows a device according to an embodiment of the invention;
Figure 3 shows the present Nokia Operator WLAN system;
Figure 4 shows a system according to the IEEE 802.1x protocol;
Figure 5 shows a system according to an embodiment of the invention;
Figure 6 shows a flow diagram of a method according to an alternative embodiment of the invention;
Figure 7 shows an access point according to an alternative embodiment of the invention; and
Figure 8 shows a system according to an alternative embodiment of the invention.

[0021] Figure 1 shows a flow diagram of a method according to an embodiment of the invention. In step 101 an access point and a terminal device, such as a wireless communications device, set up a connection and associate with each other. On the initiative of the access point, the routine then checks whether authentication according to the second protocol layer (step 102) or open system authentication according to the third protocol layer (step 103) is concerned. This check is performed at the access point based on authentication and association messages, as will be explained in the following. In a WLAN system according to the IEEE 802.11 standard, if the terminal is using open system authentication, it first sends the access point an authentication request message indicating open system authentication. The access point replies with an authentication response message. The exchange of these initial authentication messages does not actually authenticate the terminal but their function is null; hence the name open system authentication. Such open system authentication is also possible in WLAN systems according to the IEEE 802.11i standard. In a WLAN system according to the IEEE 802.11i standard, if the terminal is using the 802.1x authentication method, there are no initial authentication request and response messages but the terminal first associates with the access point by sending an association request to the access point. The request comprises a request to authenticate by using the authentication method according to the IEEE 802.1x standard. Hence, the access point identifies the authentication method the terminal device is using based on the authentication and association messages. If the terminal employs the Open System Authentication method, the terminal receives an IP address from a DHCP server, for example, which may be located at the access point, authentication agent, or elsewhere in the network (104), after which an IP-based authentication protocol according to the third protocol layer is executed (105). An IP-layer authentication is carried out between a terminal device and an authentication agent. After a successful IP-layer authentication, the authenticated terminal is updated to an access control list maintained in the network element that includes the access controller functionality (steps 106 and 107). This allows the access controller to relay data packets of the terminal device. If the access controller functionality resides in the authentication agent, then the authentication agent is capable of independently updating the access control list by internally sending the terminal's identifier data to the access controller functionality. If the access controller functionality resides in some other network element than the authentication agent, then the authentication agent may update the access control list by sending a message to the network element that contains the access controller functionality. For example, this message may be sent over the IP protocol using the User Datagram Protocol (UDP). The message includes at least the identifier data of the authenticated terminal, such as an IP address of the terminal, which is to be updated in the access control list.

[0022] If the terminal device is authenticated according to the second protocol layer, the IEEE 802.1x protocol (step 102), authentication is first carried out between the terminal device and the access point (step 108). After a successful authentication according to the IEEE 802.1x protocol, the terminal receives an IP address for example from the DHCP server, which may be located for example at the access point or at the authentication agent, or elsewhere in the network (step 109), and the access point transmits information about the event to the access controller functionality (step 106). If the access point contains the access controller functionality, then the access point independently updates the access control list by internally sending the terminal's information to the access controller functionality. If the access controller functionality resides in some other network element than the access point, then the access point updates the access control list by sending a message to the network element that contains the access controller functionality. For example, this message may be sent over the IP protocol using the User Datagram Protocol (UDP). The message includes at least the identifier data of the authenticated terminal, such as an IP address or a MAC address of the terminal, which is to be updated in the access control list. The access controller functionality then adds the information, such as the IP or the MAC address of the authenticated terminal device, to the list it maintains (step 107). This allows the access controller functionality to relay data packets of the terminal (step 110).

[0023] Even if the access controller functionality is separate from the authenticator entity, such as the access point or the authentication agent, the authenticator entity does not necessarily need to send the access controller explicit information of a successful authentication if the access controller is able to conclude it otherwise, for example in the following manner. In connection with authentication, the authenticator entity typically communicates with the authentication server, which is further inside the network. The communication usually takes place using what is known as an AAA protocol (Authentication, Authorization, Accounting), such as the RADIUS (Remote Authentication Dial In User Service) or the DIAMETER protocol. If the access controller functionality functions as a RADIUS proxy server and transmits AAA-protocol messages between the authenticator entity and the authentication server, the access controller functionality obtains information about a successful authentication already by examining the RADIUS messages. A problem that arises here in the case of IEEE 802.1x authentication is that the access controller needs the IP address of the terminal device, which is not yet known at the time the authentication succeeds, for the list it maintains. However, if the access controller functionality serves as the DHCP server distributing IP addresses after 802.1x authentication, the list can thus be updated by combining, at the access controller functionality, information about the successful authentication, the MAC address of the terminal thereby obtained, and the successful execution of the DHCP protocol, whereby an IP address corresponding to the MAC address is obtained.
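As an added illustration of paragraphs [0021] to [0023], and not part of the patent or of any Nokia product, the following Python model walks constructed terminals through both paths: the access point classifies the terminal from its first message, the access controller admits it either through an explicit update message (step 106) or by combining a RADIUS success with the DHCP lease as in [0023], and packets are relayed only for listed terminals (step 110). All frame fields, addresses and function names are simplifying assumptions, not real IEEE 802.11, RADIUS or DHCP parsing.

```python
"""Toy model of the two access-control paths of paragraphs [0021]-[0023].

Constructed example: the frame fields, identifiers and method names are
simplifications, not a real IEEE 802.11/RADIUS/DHCP implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

OPEN_SYSTEM = "open_system"  # third-protocol-layer path (steps 103-105)
DOT1X = "802.1x"             # second-protocol-layer path (steps 102, 108)


@dataclass
class Frame:
    """Stand-in for the terminal's initial IEEE 802.11 management message (constructed)."""
    kind: str                             # "auth_request" or "assoc_request"
    mac: str
    auth_algorithm: Optional[str] = None  # "open" in an open-system authentication request
    auth_suite: Optional[str] = None      # "802.1x" in the association request's suite element


def classify_authentication(frame: Frame) -> Optional[str]:
    """Steps 102/103 at the access point: decide the path from the first message.

    An authentication request announcing the open-system algorithm selects the
    layer-3 path; an association request carrying an 802.1X authentication
    suite selects the layer-2 path. Anything else is not admitted.
    """
    if frame.kind == "auth_request" and frame.auth_algorithm == "open":
        return OPEN_SYSTEM
    if frame.kind == "assoc_request" and frame.auth_suite == "802.1x":
        return DOT1X
    return None


@dataclass
class AccessController:
    """Logical access controller functionality with its list of authenticated terminals."""
    acl: Set[str] = field(default_factory=set)                  # IP or MAC identifiers (step 107)
    authenticated_macs: Set[str] = field(default_factory=set)   # seen in RADIUS, IP unknown yet
    leases: Dict[str, str] = field(default_factory=dict)        # MAC -> IP handed out by DHCP

    def handle_update_message(self, identifier: str) -> None:
        """Explicit update (step 106): the authenticator reports an IP or MAC, e.g. over UDP."""
        self.acl.add(identifier)

    def observe_radius_accept(self, mac: str) -> None:
        """[0023]: as RADIUS proxy the controller sees the success, but only knows the MAC."""
        self.authenticated_macs.add(mac)
        self._combine(mac)

    def observe_dhcp_ack(self, mac: str, ip: str) -> None:
        """[0023]: as DHCP server the controller learns the MAC -> IP binding."""
        self.leases[mac] = ip
        self._combine(mac)

    def _combine(self, mac: str) -> None:
        # Admit only when both the authentication success and the lease are known;
        # a lease alone (unauthenticated terminal) never reaches the list.
        if mac in self.authenticated_macs and mac in self.leases:
            self.acl.add(self.leases[mac])

    def relay(self, src_mac: str, src_ip: str) -> bool:
        """Step 110: relay packets of listed terminals, block everything else."""
        return src_ip in self.acl or src_mac in self.acl


def run_scenario() -> Dict[str, object]:
    """Walk three constructed terminals through the flows and report the decisions."""
    ac = AccessController()
    # Terminal A: open-system authentication request -> layer-3 path.
    a = Frame("auth_request", "00:11:22:33:44:aa", auth_algorithm="open")
    path_a = classify_authentication(a)
    # After DHCP (step 104) but before layer-3 authentication (step 105): blocked.
    a_before = ac.relay(a.mac, "10.0.0.5")
    # The authentication agent reports success with the terminal's IP address.
    ac.handle_update_message("10.0.0.5")
    a_after = ac.relay(a.mac, "10.0.0.5")
    # Terminal B: association request with 802.1X suite -> layer-2 path,
    # admitted implicitly by combining RADIUS success and the DHCP lease.
    b = Frame("assoc_request", "00:11:22:33:44:bb", auth_suite="802.1x")
    path_b = classify_authentication(b)
    ac.observe_radius_accept(b.mac)
    b_radius_only = ac.relay(b.mac, "10.0.0.6")      # IP not yet known: still blocked
    ac.observe_dhcp_ack(b.mac, "10.0.0.6")
    b_after = ac.relay(b.mac, "10.0.0.6")
    # Terminal C: obtains a lease but never authenticates -> stays blocked.
    c = Frame("assoc_request", "00:11:22:33:44:cc")   # no suite element
    path_c = classify_authentication(c)
    ac.observe_dhcp_ack(c.mac, "10.0.0.7")
    c_after = ac.relay(c.mac, "10.0.0.7")
    return {
        "path_a": path_a, "a_before": a_before, "a_after": a_after,
        "path_b": path_b, "b_radius_only": b_radius_only, "b_after": b_after,
        "path_c": path_c, "c_after": c_after,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```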

[0024] Figure 2 shows an access point 200 of an embodiment of the
invention. The access point 200 comprises a processor 201 and memory
202 for executing the operations in question and at least one
application 203 for carrying out e.g. identifying of an authentication
method. The access point 200 further comprises an interface 205 for
connecting to the router, to servers, such as an access controller, or
authentication server, for example. The access point further comprises
identifying means 207 for identifying whether the terminal device is
using the first or the second authentication method. Preferably the
access point identifies the authentication method by receiving a
message from the terminal, said message indicating the authentication
method the terminal is using. If the terminal employs the open system
authentication method, the message is preferably an authentication
request message according to the IEEE 802.11 standard, said
authentication request message indicating open system authentication.
If the terminal employs the IEEE 802.1x authentication method, the
message is an association request message preferably according to the
IEEE 802.11i standard. Said association request message comprises an
authentication suite element indicating IEEE 802.1x authentication.
The access point further comprises sending means for sending the
identifier data of the authenticated terminal to the list of the
access controller if the terminal device is using the authentication
method wherein the access point relays authentication information
between the terminal and the authentication server. The access point
further comprises relaying means 206 for relaying authentication
information between the terminal device and one of the following: the
authentication server if the terminal device is using the first
authentication method, the authentication agent if the terminal device
is using the second authentication method. In cases when the logical
access control functionality is contained in the access point, the
access point further comprises access control means 208 for relaying
data packets of authenticated terminals and blocking data packets of
unauthenticated terminals.
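How identifying means 207 can tell the two cases apart from the frame the terminal sends, as an added example that is not code from the patent or from Nokia. It assumes that the "authentication suite element" of the passage corresponds to the RSN information element (element ID 48) of IEEE 802.11i, whose AKM suite selector 00-0F-AC-01 denotes IEEE 802.1X; the frames it parses are constructed here, with made-up addresses and SSID.

```python
"""Identify a terminal's authentication method from an IEEE 802.11
management frame: an Authentication frame with algorithm 0 means open
system, an Association Request carrying an RSN element with the
802.1X AKM means IEEE 802.1x. Added example with constructed frames;
not the patent's or Nokia's code."""
import struct

SUBTYPE_ASSOC_REQ = 0          # management frame subtypes (type 0)
SUBTYPE_AUTH = 11
AUTH_ALG_OPEN_SYSTEM = 0
IE_RSN = 48
AKM_8021X = bytes([0x00, 0x0F, 0xAC, 0x01])
CIPHER_CCMP = bytes([0x00, 0x0F, 0xAC, 0x04])
MGMT_HEADER_LEN = 24           # FC, duration, A1, A2, A3, sequence control


def parse_ies(body: bytes) -> dict:
    """Split a tagged-parameter region into {element_id: [payload, ...]}."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            raise ValueError("truncated information element")
        ies.setdefault(eid, []).append(body[i + 2:i + 2 + length])
        i += 2 + length
    return ies


def rsn_akm_suites(rsn: bytes) -> list:
    """RSN element: version(2) group cipher(4) pairwise count(2)
    pairwise suites(4*n) AKM count(2) AKM suites(4*m) ...; return the AKMs."""
    if len(rsn) < 8 or struct.unpack_from("<H", rsn, 0)[0] != 1:
        raise ValueError("unsupported RSN element")
    off = 6
    pairwise_count = struct.unpack_from("<H", rsn, off)[0]
    off += 2 + 4 * pairwise_count
    if off + 2 > len(rsn):
        raise ValueError("truncated RSN element")
    akm_count = struct.unpack_from("<H", rsn, off)[0]
    off += 2
    if off + 4 * akm_count > len(rsn):
        raise ValueError("truncated RSN element")
    return [bytes(rsn[off + 4 * k:off + 4 * k + 4]) for k in range(akm_count)]


def identify_auth_method(frame: bytes) -> str:
    """Return 'open-system', 'ieee8021x', or why the frame is not decisive."""
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("frame shorter than a management header")
    fc0 = frame[0]                      # bits 2-3 type, bits 4-7 subtype
    if (fc0 >> 2) & 0x03 != 0:
        return "not-management"
    subtype, body = fc0 >> 4, frame[MGMT_HEADER_LEN:]
    if subtype == SUBTYPE_AUTH:
        if len(body) < 6:
            raise ValueError("truncated authentication frame")
        algorithm = struct.unpack_from("<H", body, 0)[0]
        return "open-system" if algorithm == AUTH_ALG_OPEN_SYSTEM else "other-auth-algorithm"
    if subtype == SUBTYPE_ASSOC_REQ:
        ies = parse_ies(body[4:])       # skip capability info and listen interval
        if IE_RSN not in ies:
            return "open-system"        # no authentication suite element at all
        return "ieee8021x" if AKM_8021X in rsn_akm_suites(ies[IE_RSN][0]) else "rsn-other-akm"
    return "other-management"


# Constructed frames so the classifier can be exercised offline.
def _mgmt_header(subtype: int, source: bytes) -> bytes:
    ap = bytes.fromhex("020000000001")   # constructed access point address
    return bytes([subtype << 4, 0]) + b"\x00\x00" + ap + source + ap + b"\x00\x00"


def build_auth_request(source: bytes) -> bytes:
    # algorithm 0 (open system), transaction sequence 1, status 0
    return _mgmt_header(SUBTYPE_AUTH, source) + struct.pack("<HHH", AUTH_ALG_OPEN_SYSTEM, 1, 0)


def build_assoc_request(source: bytes, with_8021x: bool) -> bytes:
    body = struct.pack("<HH", 0x0431, 10) + bytes([0, 4]) + b"wlan"   # SSID element
    if with_8021x:
        rsn = (struct.pack("<H", 1) + CIPHER_CCMP + struct.pack("<H", 1) + CIPHER_CCMP
               + struct.pack("<H", 1) + AKM_8021X)
        body += bytes([IE_RSN, len(rsn)]) + rsn
    return _mgmt_header(SUBTYPE_ASSOC_REQ, source) + body
```

The length checks matter: element lengths come from the terminal, so a parser that trusts them would read past the frame on a malformed association request; here such a frame is rejected instead of classified.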

[0025] A terminal employing the open system authentication method
receives an IP address for use from the DHCP server, which may be
located at the authentication agent or, alternatively, at the access
point or elsewhere in the network. The access point 200 relays
authentication messages between the terminal and the authentication
agent, which operates as the authenticator entity and authenticates
the terminal device by using the IP-based authentication method of the
third protocol layer. The authentication agent typically uses the
authentication service provided by the authentication server by
further relaying the authentication information between the terminal
device and the authentication server, which verifies the
authentication information. After the authentication, the
authentication agent sends information about a successful
authentication and the identifier data of the terminal, such as the
terminal IP address or MAC address, to the access controller, which
adds it to the access control list and starts to relay the data
packets of the terminal.

[0026] When a terminal uses the IEEE 802.1x protocol for
authentication, the access point operates as the authenticator entity
and authenticates the terminal by using the IEEE 802.1x protocol of
the second protocol layer. The access point typically uses the
authentication service provided by the authentication server by
relaying the authentication information between the terminal device
and the authentication server, which verifies the authentication
information. The access point sends information about a successful
authentication and the identifier data of the terminal, such as the
terminal IP address or MAC address, to the access controller, which
adds the identifier data of the terminal to the access control list
and starts to relay the data packets of the terminal.

[0027] Figure 3 shows the present Nokia Operator WLAN system. The
system comprises a wireless terminal device 303, such as a WLAN
terminal, being configured to use the open system authentication in
order to authenticate itself to the network, an access point 301 for
providing a wireless connection from the communications device 303 to
the network, an access controller 302 for relaying authentication
information between the terminal device 303 and an authentication
server 307, for maintaining an access controller list 309 of
authenticated terminal devices (e.g. terminal device 303) and for
relaying data packets of said authenticated terminal devices included
on the list 309. The system further comprises the authentication
server 307 for providing an authentication service to an
authenticator, such as the access point 301, by determining whether
the terminal device is authorized to access the services provided by
the access point. The system may further comprise servers, such as a
DHCP server 305 for providing an IP address to the terminal device 302
when using the open system authentication, an accounting server 306
for accounting the amount of data transferred to and from the terminal
device, and a router for routing data packets of the terminal device.

[0028] When authentication of the wireless terminal device according
to the third protocol layer, such as the open system authentication,
is carried out, the terminal device 303 associates with the access
point 301. Authentication is not carried out at this point yet. An IP
address is formed for the terminal device 303 by means of the DHCP
protocol, for example. Then follows the actual third protocol layer
authentication. In an embodiment of the OWLAN system, for example, the
communications device 303 broadcasts a paging message to page an
authentication server 307, the message being answered by the
authentication server 307. On the basis of the reply message, the
terminal device 303 knows that the network in question requires
IP-based, third protocol layer authentication between the terminal
device 303 and the access controller 302. The access controller 302
exchanges authentication messages with the authentication server 307.
In SIM authentication, for example, the International Mobile
Subscriber Identity (IMSI) is transmitted to the authentication server
307. The access controller 302 communicates with the authentication
server 306 by using an AAA protocol (Authentication, Authorization,
Accounting), such as the RADIUS (Remote Authentication Dial In User
Service) or the DIAMETER protocol.

EP 1 330 073 A1

[0029] The authentication server 307 obtains GSM challenges (a GSM
challenge is a parameter, i.e. a 128 bit random number, used in a GSM
authentication), and sends the challenges to the access controller
302, using the AAA protocol, which further relays them to the terminal
device 303 using the third protocol layer authentication protocol
NAAP. The terminal device 303 then calculates a response value
corresponding to the issued challenge by using a secret key stored in
the SIM card. The response value is a 32 bit number and the terminal
device sends the response to the access controller 302 with the third
protocol layer authentication protocol. The access controller 302
relays the information to the authentication server 307 with the AAA
protocol. The authentication server 307 verifies the response by
checking whether the terminal has calculated a correct response value
or not. If the received response is correct, the authentication server
307 sends an indication of successful authentication to the access
controller 302 with the AAA protocol, which relays the indication to
the terminal 303 with the third protocol layer authentication
protocol. After the authentication, the identifier data of the
terminal device 303 is added to the access control list 309 by the
access controller 302. The access controller 302 only transmits data
packets of the communications device whose identifier data, such as an
IP or MAC address, is found on the list 309.

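The exchange of [0029], with the three parties as separate objects, as an added example that is not code from the patent or from Nokia. The SIM's A3 algorithm is replaced by an HMAC-SHA256 truncated to 32 bits so that the exchange runs offline (an assumption of this example, not the GSM algorithm); RAND is 128 bits and SRES 32 bits as the passage states, and the subscriber identities, keys and MAC addresses are constructed.

```python
"""GSM SIM challenge-response relayed by the access controller between
the terminal (third protocol layer, NAAP) and the authentication
server (AAA protocol). Added example; the A3 stand-in, IMSIs and keys
are constructed, not the patent's or Nokia's code."""
import hashlib
import hmac
import secrets


def sim_response(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 128-bit RAND -> 32-bit SRES under the SIM key Ki.
    Assumption for this example only; real SIMs run an operator A3."""
    if len(rand) != 16:
        raise ValueError("GSM challenge must be 128 bits")
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class AuthenticationServer:
    """Holds the subscriber keys; only challenges and verdicts leave it."""

    def __init__(self, subscribers: dict):
        self.subscribers = dict(subscribers)   # IMSI -> Ki
        self.pending = {}                      # IMSI -> outstanding RAND

    def challenge(self, imsi: str):
        if imsi not in self.subscribers:
            return None
        rand = secrets.token_bytes(16)         # fresh 128-bit random number
        self.pending[imsi] = rand
        return rand

    def verify(self, imsi: str, sres: bytes) -> bool:
        rand = self.pending.pop(imsi, None)    # each challenge is usable once
        if rand is None:
            return False
        expected = sim_response(self.subscribers[imsi], rand)
        return hmac.compare_digest(expected, sres)


class Terminal:
    """WLAN terminal with a SIM; the key Ki never leaves the terminal."""

    def __init__(self, imsi: str, ki: bytes, mac: str):
        self.imsi, self.ki, self.mac = imsi, ki, mac

    def respond(self, rand: bytes) -> bytes:
        return sim_response(self.ki, rand)


class AccessController:
    """Relays NAAP messages from the terminal as AAA messages to the
    server and back; it never sees Ki and adds the terminal to its list
    only on the server's success indication."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.access_list = set()

    def authenticate(self, terminal: Terminal) -> bool:
        rand = self.server.challenge(terminal.imsi)        # AAA: IMSI -> RAND
        if rand is None:
            return False                                    # unknown subscriber
        sres = terminal.respond(rand)                       # NAAP: RAND -> SRES
        accepted = self.server.verify(terminal.imsi, sres)  # AAA: SRES -> verdict
        if accepted:
            self.access_list.add(terminal.mac)
        return accepted

    def may_relay(self, mac: str) -> bool:
        return mac in self.access_list


def demo() -> bool:
    ki = bytes(range(16))                                   # constructed key
    server = AuthenticationServer({"262011234567890": ki})  # constructed IMSI
    ac = AccessController(server)
    return ac.authenticate(Terminal("262011234567890", ki, "00:11:22:33:44:55"))


if __name__ == "__main__":
    print(demo())
```

The split of roles is the security-relevant part: the access controller relays opaque values and learns only the verdict, the terminal reveals only a 32-bit response, and the server keeps the key and consumes each challenge once.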
[0030] Figure 4 shows a system according to the IEEE 802.1x protocol.
The system comprises a wireless terminal device 404, such as a WLAN
terminal, configured to use the authentication method according to the
IEEE 802.1x protocol in order to authenticate itself to the network,
and an access point 401 for setting up a communication connection to
the terminal device 404 and for relaying authentication information
between the terminal device 404 and an authentication server 402. The
system further comprises the authentication server 402 for providing
an authentication service to an authenticator, such as the access
point 401, by determining whether the terminal device 404 is
authorized to access the services provided by the access point 401,
and an accounting server 405 for accounting the amount of data
transferred to and from the terminal device. The system further
comprises one or more routers 403 for routing data packets of the
terminal device 404.

[0031] The authenticator entity, such as the access point 401,
typically communicates with the authentication server 402 by using an
AAA protocol (Authentication, Authorization, Accounting), similarly to
the Nokia Operator Wireless LAN solution described above in Figure 3.
When the terminal is successfully authenticated the access point
relays data packets between the terminal device 404 and the router
403.

[0032] Figure 5 shows a system according to an embodiment of the
invention. In the following the invention is illustrated by way of
example in an environment that comprises a wireless terminal device
303, such as a WLAN terminal, that can authenticate by using a third
protocol layer authentication method, such as open system
authentication, and a wireless terminal device 404, such as a WLAN
terminal, that can authenticate by using the authentication method
according to the IEEE 802.1x standard, such as a Wireless LAN terminal
that uses the IEEE 802.11i standard. The terminals are capable of
setting up a connection to a communications network, which comprises
an access point 501 for providing a wireless connection from the
communications device 303, 304 to the network and for relaying
authentication information between the terminal device 404 and an
authentication server 505. The access point comprises a logical access
controller functionality 502 for relaying data packets of the
authenticated terminal and blocking data packets of unauthenticated
terminals, and a list 503 of authenticated terminal devices. The
access controller functionality 502 and the list 503 may alternatively
be located for example in an authentication agent 504, router 508 or
somewhere else in the network. The system further comprises an
authentication agent 504 for relaying authentication information
between the terminal device 303 and the authentication server 505. The
system further comprises servers, such as a DHCP server 506 for
providing an IP address for the terminal device 303, an accounting
server 507 for accounting the amount of data transferred to and from
the terminal device, and an authentication server 505 for providing an
authentication service to an authenticator. The authenticator is one
of the following: the access point 501 and the authentication agent
504. The authentication server 505 determines whether the terminal
device is authorized to access the services provided by the
authenticator. The system also comprises one or more routers 508 for
routing data packets of the terminal devices 303, 404.

[0033] The access point 501 sends messages, such as beacon messages
according to the IEEE 802.11i or IEEE 802.11 standard, to the
surroundings of the access point. Said beacon message may comprise an
authentication suite element that further comprises information of the
authentication method the access point can handle, e.g. the
authentication method according to the IEEE 802.11i standard. A
wireless terminal 404 that implements the IEEE 802.11i standard will
recognise that the access point supports the IEEE 802.1x
authentication protocol. A wireless terminal 303 that does not
implement the IEEE 802.11i standard does not process the
authentication suite element, but it interprets the beacon message
according to the IEEE 802.11 standard and hereby recognises that the
access point 501 supports open system associations. The terminal 303,
304 receives the beacon message sent from the access point 501. The
terminal device 303, 404 may get several beacon messages from several
access points that are inside the range of the terminal. Alternatively
to beacon messages, the terminal 303, 404 can also learn of local
access points by sending messages, such as a probe request message
according to the IEEE 802.11i standard or the IEEE 802.11 standard, to
all access points inside the range of the terminal. When the access
point 501 receives the probe request message sent by the terminal 303,
404, it sends, in response to said probe request, a message, such as a
probe response message according to the IEEE 802.11i or IEEE 802.11
standard. The probe response message to the terminal device 404 is
sent according to the IEEE 802.11i standard and it comprises the
authentication suite element that comprises information of the
authentication method. The probe response message to the terminal
device 303 may be sent according to the IEEE 802.11 standard and hence
it does not need to include the authentication suite element. The
terminal 303, 404 receives the probe response message from the access
point 501. The terminal device 303, 404 may get several probe response
messages from several access points that are inside the range of the
terminal.

[0034] After discovering suitable local access points based on beacon
messages or probe messages, the terminal device 303, 404 selects the
access point that supports the authentication method the terminal is
using. The terminal device 404 that supports the IEEE 802.11i standard
and wishes to use the IEEE 802.1x authentication method adds the
authentication suite element to the message, such as an association
request message according to the IEEE 802.11i standard. The terminal
device 303 that wishes to use open system authentication first starts
the open authentication by sending an authentication request message,
to which the access point 501 replies with an authentication response
message indicating success. The open authentication is followed by
association. The terminal device 303 does not include an
authentication suite element in the association messages it sends.
After that the terminal 303, 404 sends the association request message
to the access point. On the basis of the authentication or association
request message the access point 501 identifies the authentication
method the terminal device 303, 404 is using.

[0035] When authentication of the wireless communication device
according to the third protocol layer is carried out, the
communications device 303 associates with the access point 501,
authentication not being carried out at this point yet. An IP address
is formed for the communications device 303 by means of the DHCP
protocol, for example. Then follows the actual third protocol layer
authentication. In an embodiment of the OWLAN system, for example, the
terminal device 303 broadcasts a paging message to page an
authentication agent 504, the message being answered by the
authentication agent. On the basis of the reply message, the
communications device 303 knows that the network in question requires
IP-based, third protocol layer authentication between the
communications device 303 and the authentication agent 504. The
authentication agent 504 exchanges authentication messages with the
authentication server 505 using an AAA protocol. The authentication
procedure is similar to the Nokia Operator Wireless LAN system
described in Figure 3. The authentication agent 504 receives a
notification of successful authentication from the authentication
server 507 by means of the AAA protocol. After the authentication, the
authentication agent sends the identifier data, such as an IP address,
of the terminal device 303 to the access controller functionality 502.
In this embodiment, the access controller functionality 502 is
implemented in the access point device 501. The authentication agent
504 sends a message to the access point 501. For example, the message
can be formed using the User Datagram Protocol (UDP) over the Internet
Protocol (IP). The message includes at least the identifier data of
the terminal device 303. Upon receipt of the message, the access
controller functionality 502 in the access point 501 adds the
identifier data to the access control list 503. The access controller
functionality 502 only relays data packets of the terminal device
whose identifier data, such as an IP or MAC address, are found on the
list 503. Authentication must typically be repeated after a specific
period of time by the communications device, for example if the
terminal device is switched off (due to low battery level), leaves the
network (shadow region) or automatically discontinues the use of a
service. The access controller 502 keeps a record of the duration of
the connection of the communications device 303 and the number of data
packets transmitted/received. The access controller 502 sends the
information to the authentication server 505 or the accounting server
507, for example, to serve as a basis for user billing. Alternatively,
authentication according to the third protocol layer can be carried
out such that when the user activates a World Wide Web (WWW) browser,
the authentication agent 504 sends to the browser of the terminal 303
a page inquiring about the user identification and the password,
whereby the user is identified and added to the access control list
503. Yet alternatively, authentication according to the third protocol
layer can be carried out using Virtual Private Network (VPN) software,
in which the user authentication is typically performed as part of the
Internet Key Exchange (IKE) protocol.

[0036] In the second protocol layer authentication, the communications
device 404 and the access point 501 agree already during the
association that they will be using WLAN authentication (and not open
system authentication as in the third protocol layer authentication).
The WLAN authentication is carried out as specified in the IEEE 802.1x
protocol. After a successful authentication, the access controller
functionality 502 is informed of the event and it adds the terminal
device 304 authenticated according to the second protocol layer to the
access control list 503 and starts to relay the packets of the
authenticated terminal device. Because the access controller
functionality 502 is implemented in the access point device 501, the
access point 501 is capable of locally sending the identifier data of
the terminal to the access controller functionality 502. The access
control list 503 comprises identifier data of terminals authenticated
according to both the third and the second protocol layer. After the
second protocol layer authentication, the authentication agent 504
does not need to subject the terminal device 404 to third protocol
layer authentication any more, because the identifier data of the
terminal device 404 are already in the list 503.

[0037] In an alternative embodiment of this invention, service
differentiation is provided for different classes of terminal devices.
Figure 6 shows a flow diagram of a method according to the alternative
embodiment of the invention. In step 601 an access point and a
terminal device, such as a wireless communications device, set up a
connection and associate with each other. On the initiative of the
access point, the routine then checks whether authentication according
to the second protocol layer or open system authentication according
to the third protocol layer is concerned. The terminal establishes
communications with the access point by sending an authentication or
an association request to the access point. The request comprises a
request to authenticate by using the authentication method the device
is using. In step 602 the WLAN access point classifies WLAN clients
into different classes, preferably based on the authentication method
used by the WLAN clients or based on some other parameters that are
exchanged during the association and authentication phase. In step 603
the access point relays data packets on the basis of the
classification. The client class is taken into account when relaying
data packets between the wireless network and the wired network
(Distribution System, DS). For example, the authentication method,
which is selected on association, may be used to classify users so
that open system clients are directed to a different Virtual LAN
(VLAN) than IEEE 802.1x/802.11i clients. In the 802.1x case, the
access point may further differentiate clients based on the realm name
portion of the user identity (Network Access Identifier, NAI). The
realm name identifies the RADIUS server that authenticates the user.
For example, a corporate WLAN access point may direct clients that are
authenticated by the corporate RADIUS server to a different VLAN than
clients that are authenticated by other RADIUS servers. For the sake
of simplicity, the authentication method (open system or IEEE 802.1x)
is used here as an example of the parameter by which the access point
classifies wireless terminals into different classes. A person skilled
in the art will find it apparent that the invention is not restricted
to terminal classification by authentication method and that there are
other parameters by which the access point may divide terminals into
separate classes. The access point can use any parameter it learns
upon communications establishment as a basis of classification. The
parameter may be related to the radio technology, authentication or
association or other areas of communication establishment, such as
the radio frequency band, the data rate used by the terminal, the
Network Access Identifier or a part of it, or the Extensible
Authentication Protocol (EAP) type used in IEEE 802.1x authentication.

[0038] Figure 7 shows an access point according to an alternative
embodiment of the invention. The access point 700 comprises a
processor 701 and memory 702 for executing the operations in question
and at least one application 703 for carrying out e.g. identifying of
an authentication method. The access point 700 further comprises an
interface 705 for connecting to the router, to servers, such as an
access controller, or authentication server, for example. The access
point further comprises identifying means 707 for identifying, upon
communication establishment, whether the terminal device is using the
first or the second authentication method. Preferably the access point
identifies the authentication method by receiving a message from the
terminal, said message comprising the authentication method the
terminal is using. If the terminal is using the first authentication
method, the message is preferably an association request message
according to the IEEE 802.11i standard, said association request
message comprising an authentication suite element indicating IEEE
802.1x authentication. If the terminal is using the second
authentication method, the message is preferably an authentication
request message according to the IEEE 802.11 standard, said
authentication request message indicating open system authentication.
The device further comprises classifying means 704 for classifying
terminals into different classes based on the identified
authentication method. The access point further comprises relaying
means 706 for relaying data packets of the wireless terminals between
the wireless network and the wired network, said relaying means taking
the client class into account by directing data packets of terminal
devices of different classes to separate logical channels. The use of
different Virtual LANs for different terminal classes is an example of
how to take the terminal class into account when relaying data
packets. Upon receipt of a data packet from a wireless terminal, the
access point first detects the terminal class of the sending wireless
terminal, preferably based on the source MAC address field in the data
packet, and then relays the data packet to the wireless network using
the Virtual LAN Identifier associated with the terminal class, so that
packets from open system clients are relayed using a different Virtual
LAN identifier than packets from 802.1x clients. Furthermore, upon
receipt of a unicast data packet from the wired network, the access
point first detects the terminal class of the destination wireless
terminal, preferably based on the destination MAC address field in the
data packet, and then verifies that the Virtual LAN Identifier in the
data packet is correct, i.e. what it should be for the detected
terminal class. The access point only relays the data packet to the
destination wireless terminal if the packet was received from the
wired network with the correct Virtual LAN Identifier. If the Virtual
LAN identifier is incorrect, the access point preferably discards the
data packet. Upon receipt of a multicast or broadcast data packet from
the wired network, the access point cannot detect the terminal class
of a single terminal device, because there may be several
destinations. In this case, the access point may still process the
data packets according to the terminal class indicated in the Virtual
LAN identifier. For example, multicast or broadcast data frames
destined to open system clients may be transmitted without encryption
or integrity protection, whereas IEEE 802.11i packet security may be
applied to multicast or broadcast data frames destined to IEEE 802.1x
clients.
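The classification of [0037] (steps 602 and 603, with the NAI realm refinement) and the VLAN handling of [0038] in both relay directions, as an added example that is not code from the patent or from Nokia. The VLAN plan, realm names and MAC addresses are constructed; the two class names follow the passage's open system and IEEE 802.1x cases.

```python
"""Terminal classification on association and VLAN-based relaying:
uplink frames are tagged with the class's VLAN, downlink unicast
frames are delivered only if their VLAN matches the destination's
class, and group frames are handled by the VLAN tag alone. Added
example with a constructed VLAN plan; not the patent's or Nokia's code."""
from typing import Dict, Optional, Tuple

VLAN_FOR_CLASS = {                       # constructed VLAN plan
    "open-system": 10,
    "ieee8021x": 20,                     # 802.1x clients of any other realm
    "ieee8021x:corp.example": 30,        # 802.1x clients authenticated by the corporate RADIUS server
}


class ClassifyingAccessPoint:
    def __init__(self, vlan_for_class: Dict[str, int]):
        self.vlan_for_class = dict(vlan_for_class)
        self.class_of_mac: Dict[str, str] = {}

    def on_association(self, mac: str, auth_method: str, nai: Optional[str] = None) -> str:
        """Step 602: the class is fixed when communications are established.
        For 802.1x clients the realm of the NAI (user@realm) may refine it."""
        terminal_class = auth_method
        if auth_method == "ieee8021x" and nai and "@" in nai:
            realm = nai.rsplit("@", 1)[1].lower()
            if f"ieee8021x:{realm}" in self.vlan_for_class:
                terminal_class = f"ieee8021x:{realm}"
        if terminal_class not in self.vlan_for_class:
            raise ValueError(f"no VLAN configured for class {terminal_class!r}")
        self.class_of_mac[mac] = terminal_class
        return terminal_class

    def relay_to_wired(self, src_mac: str, frame: bytes) -> Optional[Tuple[int, bytes]]:
        """Uplink: class by source MAC, then tag with the class's VLAN.
        Frames from a terminal that never associated are dropped (None)."""
        terminal_class = self.class_of_mac.get(src_mac)
        if terminal_class is None:
            return None
        return self.vlan_for_class[terminal_class], frame

    def relay_unicast_from_wired(self, vlan_id: int, dst_mac: str, frame: bytes) -> Optional[bytes]:
        """Downlink unicast: the VLAN tag must be the one of the destination's
        class; otherwise the frame is discarded, so traffic injected on the
        open-system VLAN cannot reach an 802.1x client or vice versa."""
        terminal_class = self.class_of_mac.get(dst_mac)
        if terminal_class is None or self.vlan_for_class[terminal_class] != vlan_id:
            return None
        return frame

    def group_frame_policy(self, vlan_id: int) -> Optional[Dict[str, object]]:
        """Downlink multicast/broadcast: no single destination, so the class is
        taken from the VLAN tag; 802.1x classes get link-layer protection."""
        for terminal_class, vid in self.vlan_for_class.items():
            if vid == vlan_id:
                return {"class": terminal_class,
                        "protect": terminal_class.startswith("ieee8021x")}
        return None   # unknown VLAN: delivered to no wireless class
```

Note that the realm is taken from the NAI only after the 802.1X exchange has succeeded for that identity; a client cannot move itself to the corporate VLAN merely by claiming a realm it cannot authenticate against.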

[0039] Alternatively to Virtual LANs, the access point may
differentiate the data packets based on IP subnetwork or IP address
range. In this example, the access point ensures that the wireless
terminal is assigned an IP address from the IP subnetwork or range
that corresponds to the terminal class identified upon communications
establishment. Preferably, the access point relays the DHCP packets
sent by the wireless terminal in the IP configuration phase to a
suitable DHCP server based on terminal class, so that the terminal is
assigned an address from the correct IP subnetwork or IP address
range. Upon receipt of a data packet from a wireless terminal, the
access point first detects the terminal class, preferably based on the
source MAC address field in the data packet, and then verifies that
the source IP address field (or another protocol field that comprises
an IP address) in the received data packet belongs to the correct IP
subnetwork or IP address range associated with the detected terminal
class. The access point only relays the data packet to the wired
network if this verification succeeds. If this verification fails, the
access point preferably discards the data packet. Further, upon
receipt of a unicast data packet from the wired network, the access
point first detects the terminal class, preferably based on the
destination MAC address field, and then verifies that the destination
IP address field in the data packet belongs to the correct IP
subnetwork or IP address range associated with the detected terminal
class. The access point only relays the data packet to the destination
wireless terminal if this verification succeeds. If this verification
fails, the access point preferably discards the data packet. Upon
receipt of a multicast or broadcast data packet from the wired
network, the access point may still be able to detect a correct
terminal class based on a protocol field comprising an IP address.
Different processing, such as different encryption or integrity
protection, may be applied to multicast or broadcast data packets
destined to open system clients and IEEE 802.1x clients. For the sake
of simplicity, the use of separate Virtual LANs for different client
classes is used as an example of how the access point takes the
terminal class into account when relaying data packets between the
wireless terminals and the wired network. A person skilled in the art
will find it apparent that the invention is not restricted to the use
of different Virtual LANs for each terminal class and that there are
other ways of taking the terminal class into account in relaying data
packets. Alternatively to Virtual LANs, the access point may take the
terminal class into account by using any method of differentiating
data packets into separate logical channels, based on terminal class,
when relaying data packets between the wireless network and the wired
network. Another example of said method is packet tunnelling to
different destinations based on terminal class. Upon receipt of a data
packet from the wireless terminal, the access point detects the
terminal class, preferably based on the source MAC address field in
the received packet. The access point then encapsulates the received
packet within a new packet. The destination of the new packet is
chosen based on the terminal class, so that different terminal classes
are tunnelled to different destinations. The encapsulation is
preferably IP encapsulation, wherein the original MAC header is
removed and the resulting IP packet is encapsulated within a new IP
packet. The IP packet is then forwarded according to the new IP
destination address. Correspondingly, the data packets received from
the wired network may also be tunnelled. Upon receipt of a data packet
from the wireless network, the access point detects the terminal
class, preferably based on the source IP address in the outer IP
header, when different tunnel starting points are used for each
terminal class. The access point then decapsulates the tunnelled
packet and relays the resulting data packet to the destination
wireless terminal.
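The two non-VLAN alternatives of [0039], the per-class IP subnetwork check and IP-in-IP tunnelling to per-class destinations, as an added example that is not code from the patent or from Nokia. The subnetworks, tunnel endpoints, the access point's own tunnel address and all packet contents are constructed, and the IPv4 header builder and parser are minimal ones written for this example (no options, no fragmentation).

```python
"""Per-class IP subnetwork verification in both relay directions, and
IP-in-IP encapsulation/decapsulation keyed on terminal class. Added
example with constructed addresses and packets; not the patent's or
Nokia's code."""
import ipaddress
import struct
from typing import Optional, Tuple

SUBNET_FOR_CLASS = {                                    # constructed plan
    "open-system": ipaddress.ip_network("10.1.0.0/24"),
    "ieee8021x": ipaddress.ip_network("10.2.0.0/24"),
}
TUNNEL_ENDPOINT_FOR_CLASS = {                           # constructed
    "open-system": ipaddress.ip_address("192.0.2.10"),
    "ieee8021x": ipaddress.ip_address("192.0.2.20"),
}
AP_TUNNEL_ADDRESS = ipaddress.ip_address("192.0.2.1")  # constructed
IPPROTO_IPIP = 4                                        # IP-in-IP (RFC 2003)


def _checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(str(src)).packed,
                         ipaddress.IPv4Address(str(dst)).packed)
    header = header[:10] + struct.pack("!H", _checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, int, bytes]:
    """Return (src, dst, protocol, payload); rejects a bad version or checksum."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet) or _checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return (ipaddress.ip_address(packet[12:16]), ipaddress.ip_address(packet[16:20]),
            packet[9], packet[ihl:])


def uplink_allowed(terminal_class: str, ip_packet: bytes) -> bool:
    """Packet from a wireless terminal: its source IP must lie in the
    subnetwork of the class learned on association (by source MAC)."""
    src, _, _, _ = parse_ipv4(ip_packet)
    return src in SUBNET_FOR_CLASS[terminal_class]


def downlink_allowed(terminal_class: str, ip_packet: bytes) -> bool:
    """Unicast packet from the wired network: destination IP must match."""
    _, dst, _, _ = parse_ipv4(ip_packet)
    return dst in SUBNET_FOR_CLASS[terminal_class]


def encapsulate(terminal_class: str, ip_packet: bytes) -> bytes:
    """Tunnel alternative: the inner IP packet (MAC header already removed)
    goes inside a new IP packet whose destination depends on the class."""
    return build_ipv4(AP_TUNNEL_ADDRESS, TUNNEL_ENDPOINT_FOR_CLASS[terminal_class],
                      IPPROTO_IPIP, ip_packet)


def decapsulate(tunnelled: bytes) -> Optional[Tuple[str, bytes]]:
    """Reverse direction: the outer source address is the tunnel starting
    point and so identifies the class; packets from any other source, or
    not addressed to this access point, are discarded (None)."""
    outer_src, outer_dst, proto, inner = parse_ipv4(tunnelled)
    if proto != IPPROTO_IPIP or outer_dst != AP_TUNNEL_ADDRESS:
        return None
    for terminal_class, endpoint in TUNNEL_ENDPOINT_FOR_CLASS.items():
        if endpoint == outer_src:
            return terminal_class, inner
    return None
```

The subnet check is only as strong as the address assignment behind it, which is why the passage has the access point steer the terminal's DHCP traffic to the DHCP server of its class; the decapsulation side likewise trusts the outer source address only because the tunnel endpoints are fixed per class.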

[0040] Figure 8 shows a system according to an alternative embodiment
of the invention. In the following the invention is illustrated by way
of example in an environment that comprises a terminal device 303 that
can authenticate by using a third protocol layer authentication
method, such as open system authentication, and a terminal 404 that
can authenticate by using the authentication method according to the
IEEE 802.1x standard, such as a Wireless LAN terminal that uses the
IEEE 802.11i standard. The terminals are capable of setting up a
connection to a communications network, which comprises an access
point 801 for providing a wireless connection from the communications
device 303, 304 to the network and for relaying authentication
information between the terminal device 404 and an authentication
server 806. The system further comprises an access controller 802,
which comprises a logical access controller functionality for relaying
data packets of the open system authenticated terminal and blocking
data packets of unauthenticated terminals, and a list 803 of
authenticated open system terminal devices. The access controller 802
relays authentication information between the terminal device 303 and
the authentication server 805. The system further comprises servers,
such as a DHCP server 804 for providing an IP address for the terminal
device 303, an accounting server 805 for accounting the amount of data
transferred to and from the terminal device, and an authentication
server 806 for providing an authentication service to an
authenticator, said authenticator being one of the following: the
access point 801 and the access controller 802, by determining whether
the terminal device is authorized to access the services provided by
the authenticator, and one or more routers 807 for routing data
packets of the terminal devices 303, 404.

[0041] This example system is arranged such that network access control for the open system terminal 303 is implemented in the access controller device 802, and network access control for the IEEE 802.1x terminal 404 is implemented in the access point device 801. The arrangement is based on data packet classification, in the access point device 801, into separate logical channels based on the terminal authentication method. 
[0042] When a terminal device 303 that uses the open system authentication method establishes communications with the access point, the access point 801 assigns the terminal 303 to a terminal class for which the access controller 802 employs access control at the third protocol layer. By use of Virtual LANs, the access controller 802 is configured to enforce access control on data packets received with a Virtual LAN Identifier assigned to open system terminals. If separate IP sub networks or IP address ranges are used to separate data packets into logical channels, the access controller 802 is configured to enforce access control on data packets of terminals 303 that use an IP address from the IP sub network or address range of open system terminals. 
[0043] When a terminal device 404 establishes communications with the access point 801 and authenticates with the IEEE 802.1x authentication method, the access point 801 assigns the terminal 404 to a terminal class for which the access controller 802 does not employ access control. With Virtual LANs, it is possible to configure the access controller 802 to route data packets with the Virtual LAN identifier associated with the IEEE 802.1x terminal 404 without enforcing any access control. Alternatively, the Virtual LAN associated with the IEEE 802.1x terminals 404 may employ another router device 807 through which the data packets of IEEE 802.1x terminals 404 are routed, so that the data packets do not traverse the access controller 802. If separate IP sub networks or IP address ranges are used to separate data packets into logical channels, the access controller 802 may be configured to route data packets of terminals 404 that use an IP address from the IP sub network or address range of IEEE 802.1x terminals without enforcing access control. 
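As an added illustration, not taken from the patent text, the following Python sketch models the arrangement of paragraphs [0041] to [0043] together with the channel verification of claims 8 and 9: the access point records each terminal's class at association time, tags its frames with the class's VLAN, discards wired-side frames whose VLAN does not match the destination terminal's class, and the access controller applies its list-based access control only on the open-system VLAN. The VLAN numbers, MAC and IP addresses and the `route`/`block` outcomes are constructed for the example.

```python
from dataclasses import dataclass, field

OPEN_SYSTEM = "open_system"
DOT1X = "802.1x"

# Constructed example mapping of terminal class -> logical channel (VLAN ID);
# the patent text names no particular VLAN numbers.
CLASS_TO_VLAN = {OPEN_SYSTEM: 10, DOT1X: 20}


@dataclass
class AccessPoint:
    """Classifies terminals by authentication method when they associate."""
    terminal_class: dict = field(default_factory=dict)  # MAC -> terminal class

    def associate(self, mac: str, auth_method: str) -> int:
        """Record the terminal's class and return the VLAN its traffic is placed on."""
        if auth_method not in CLASS_TO_VLAN:
            raise ValueError(f"unknown authentication method: {auth_method}")
        self.terminal_class[mac] = auth_method
        return CLASS_TO_VLAN[auth_method]

    def tag_uplink(self, mac: str) -> int:
        """Tag a frame from an associated terminal with its class's VLAN."""
        return CLASS_TO_VLAN[self.terminal_class[mac]]

    def verify_downlink(self, vlan: int, dst_mac: str) -> bool:
        """Relay a wired-side frame only if its VLAN matches the destination
        terminal's class; frames for unknown terminals are discarded too."""
        cls = self.terminal_class.get(dst_mac)
        return cls is not None and CLASS_TO_VLAN[cls] == vlan


@dataclass
class AccessController:
    """Third-layer access control applied only on the open-system channel."""
    controlled_vlans: set = field(
        default_factory=lambda: {CLASS_TO_VLAN[OPEN_SYSTEM]})
    authenticated_ips: set = field(default_factory=set)  # list of open-system terminals

    def handle(self, vlan: int, src_ip: str) -> str:
        """Return 'route' if the packet is forwarded, 'block' if it is dropped."""
        if vlan not in self.controlled_vlans:
            return "route"  # 802.1x class: already authenticated at the access point
        return "route" if src_ip in self.authenticated_ips else "block"


def demo() -> dict:
    """Walk two constructed terminals through association and forwarding."""
    ap = AccessPoint()
    ac = AccessController()
    open_mac, dot1x_mac = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # constructed
    ap.associate(open_mac, OPEN_SYSTEM)
    ap.associate(dot1x_mac, DOT1X)
    results = {}
    # Open-system terminal before third-layer authentication: blocked by the controller.
    results["open_before"] = ac.handle(ap.tag_uplink(open_mac), "10.0.10.5")
    ac.authenticated_ips.add("10.0.10.5")  # added after successful authentication
    results["open_after"] = ac.handle(ap.tag_uplink(open_mac), "10.0.10.5")
    # 802.1x terminal: its VLAN is not subject to controller access control.
    results["dot1x"] = ac.handle(ap.tag_uplink(dot1x_mac), "10.0.20.7")
    # A wired-side frame on the 802.1x VLAN addressed to the open-system
    # terminal does not match its class and is discarded.
    results["wrong_channel"] = ap.verify_downlink(20, open_mac)
    results["right_channel"] = ap.verify_downlink(10, open_mac)
    return results


if __name__ == "__main__":
    print(demo())
```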

[0044] The alternative embodiment of the invention according to figures 6 to 8 makes it possible to use the same WLAN radio network for several purposes. The same radio network can serve legacy WLAN clients, such as OWLAN release 1 clients that use open system authentication, and new WLAN clients that use the new IEEE standards, such as OWLAN release 2 clients that use IEEE 802.1x authentication. An extreme access point implementation of this invention could look like two separate access points to the wireless clients. One of the "virtual" access points would allow open system associations and the other access point 802.1x associations. A simpler implementation would look like a single access point but it would support both open association and 802.1x association. 

[0045] Another object of the alternative embodiment is protected networks that are currently built on Virtual Private Network (VPN) technology, such as corporate networks. An access point that implements this invention would be able to route open system clients to the existing LAN, which is separated from the protected network by a VPN gateway. Open system clients will therefore need to establish a VPN connection in order to access the protected network. The access point could route IEEE 802.11i clients to a different Virtual LAN, which has direct connectivity to the protected network. Hence, this invention provides a managed deployment path from the current corporate WLAN solution to the new IEEE 802.11i solution. 

[0046] In another example system employing the alternative embodiment of this invention, the terminal classification in the access point device can be used to direct data packets of terminal devices that use open system authentication to an uncontrolled network, on which no access control is enforced. Said uncontrolled network may be a local Intranet or other network with limited and free resources that are available to anyone. In this example, the data packets of terminal devices that use IEEE 802.1x authentication are directed to a controlled network, such as the global Internet. Said controlled network is such that it is only available to terminals that authenticate using the IEEE 802.1x authentication method. 

[0047] Advantages of the alternative embodiment described above are: a single WLAN radio network is able to securely support both legacy and new WLAN clients; legacy and new WLAN clients may use different IP sub networks and different services; and no support is required in the wireless stations. 

[0048] The invention is not restricted to open system authentication and authentication according to the IEEE 802.11i protocol or the IEEE 802.1x protocol. The first embodiment of the invention can be used in any such system wherein a terminal can access a network by using an access point or authentication agent as an authenticator. The second embodiment of the invention can be used in any such system wherein it is advantageous to provide different service to different terminal classes, said terminal class being identified based on a parameter of the communication establishment. 

[0049] The above disclosure illustrates the implementation of the invention and its embodiments by means of examples. A person skilled in the art will find it apparent that the invention is not restricted to the details of the above-described embodiments and that there are also other ways of implementing the invention without deviating from the characteristics of the invention. The above embodiments should thus be considered as illustrative and not restrictive. Hence the possibilities of implementing and using the invention are only restricted by the accompanying claims and therefore the different alternative implementations of the invention, including equivalent implementations, defined in the claims also belong to the scope of the invention. 



1. A method for relaying data packets of a wireless terminal device in a communication network, the network comprising:

    an access point for setting up a communication connection to the terminal device,
    an access controller for relaying authentication information between the terminal device and an authentication server,
    an authentication server for providing an authenticating service for the terminal device to authenticate to the network,
    the terminal device being configured to use one of the following authentication methods in order to authenticate itself to the network: a first authentication method wherein the access point relays authentication information between the terminal device and the authentication server, a second authentication method wherein the access controller relays authentication information between the terminal device and the authentication server,
    the method comprising establishing a communication connection between the terminal device and the access point,
    characterized by the method further comprising the steps of
    identifying at the access point a parameter relating to the step of establishing the communication connection,
    classifying the terminal device on the basis of the identified parameter and
    directing data packets of terminal devices of different classes to separate logical channels.

2. A method according to claim 1, characterized in that the identified parameter is the authentication method used by the terminal.

3. A method according to claim 2, characterized in that the authentication method is one of the following: an open system authentication and an authentication according to the 802.1x protocol.

4. A method according to claim 1, characterized in that the identified parameter is one of the following: the Network Access Identifier, part of the Network Access Identifier used by the terminal device, frequency band, data rate and used radio technology of the terminal device.

5. A method according to claim 1, characterized in that the separate logical channels are one of the following: Virtual LANs, IP sub networks and IP address ranges.

6. A method according to claim 5, characterized in that the access point ensures that the terminal device is assigned an IP address from the correct IP sub network or IP address range.

7. A method according to claim 1, characterized in that the separate logical channels are tunnels.

8. A method according to claim 1, characterized in that the access point verifies for data packets that the logical channel used matches the identified terminal device class.

9. A method according to claim 8, characterized in that the access point only relays data packets for which said verification is successful and discards data packets for which said verification is unsuccessful.

10. A method according to claim 1, characterized in that the access point applies different security processing to data packets of different terminal device classes.

11. An access point (700) for setting up a communication connection to a terminal device in a network, said network comprising:

    an access controller for relaying authentication information between the terminal device and an authentication server,
    an authentication server for providing an authenticating service for the terminal device to authenticate to the network,
    said access point comprising
    establishing means (701-703, 705) for establishing a communication connection between the terminal device and the access point,
    characterized in that the access point is configured to accept the terminal device to use one of the following authentication methods in order to authenticate itself to the network: a first authentication method wherein the access point is configured to relay authentication information between the terminal device and the authentication server, a second authentication method wherein the access point is configured to relay authentication information between the terminal device and an authentication agent, whereby the access point further comprises
    identifying means (707) for identifying a parameter relating to the establishment of the communication connection,
    classifying means (704) for classifying the terminal device on the basis of the identified parameter and
    directing means (701-703, 705, 706) for directing data packets of terminal devices of different classes to separate logical channels.

12. An access point according to claim 11, characterized in that said identifying means are arranged to identify the parameter in response to detecting one of the following: authentication method used by the terminal device, the Network Access Identifier or part of the Network Access Identifier used by the terminal device, frequency band, data rate and used radio technology of the terminal device.

13. An access point according to claim 11, characterized in that said directing means are arranged to use one of the following as said separate logical channels: Virtual LANs, IP sub networks and IP address ranges.

14. An access point according to claim 11, characterized in that the access point further comprises verifying means for verifying for data packets that the logical channel used matches the identified terminal device class.

15. An access point according to claim 11, characterized in that the access point is arranged to only relay data packets for which said verification is successful and to discard data packets for which said verification is unsuccessful.

16. A method for access control of a wireless terminal device in a communication network, the network comprising

    an access point for setting up a communication connection to the terminal device,
    an authentication agent for relaying authentication information between the terminal device and an authentication server,
    a logical access controller functionality for relaying data packets of the authenticated terminal device and blocking data packets of unauthenticated terminal devices, the logical access controller functionality further comprising a list of authenticated terminal devices,
    an authenticating server for providing an authenticating service for the terminal device to authenticate to the network,
    the terminal device being configured to use either of the following authentication methods in order to authenticate itself to the network: a first authentication method wherein the access point relays authentication information between the terminal device and the authentication server, a second authentication method wherein the authentication agent relays authentication information between the terminal device and the authentication server, characterized by the method comprising the steps of

        identifying at the access point whether the terminal device is using the first or the second authentication method,
        whereby if the terminal device authenticates by using the first authentication method, performing the steps of:

            the access point relaying authentication information between the terminal device and the authentication server,
            the access point sending the identifier data of the terminal device, in response to successful authentication, to the list of the access controller functionality,
            the access controller functionality adding the identifier data of the authenticated terminal device to the list and relaying data packets of the terminal device included on the list and

        if the terminal device authenticates by using the second authentication method, performing the steps of:

            the access point relaying authentication information between the terminal device and the authenticating agent,
            the authentication agent relaying authentication information between the terminal device and the authentication server,
            the authentication agent sending the identifier data of the terminal device, in response to successful authentication, to the list of the access controller functionality, and
            the access controller functionality adding the identifier data of the authenticated terminal device to the list and relaying data packets of the terminal device included on the list.

17. A method according to claim 16, characterized in that the access controller functionality is implemented as part of the access point device.

18. A method according to claim 16, characterized in that the access controller functionality is implemented as part of the authentication agent device.

19. A method according to claim 16, characterized in that the access controller functionality is implemented in a device separate from the access point and the authentication agent.

20. A method according to claim 16, characterized in that the identifier data comprises at least one of the following: the IP address and the MAC address of the terminal device.

21. A method according to claim 16, characterized in that the first authentication method is performed according to the IEEE 802.1X protocol.

22. A method according to claim 21, characterized in that the first authentication method is performed according to the IEEE 802.11i protocol.

23. A method according to claim 16, characterized in that the second authentication method is performed over the Internet protocol.

24. A method according to claim 23, characterized in that the second authentication method is performed according to one of the following: the internet key exchange protocol and the hypertext transfer protocol.

25. A method according to claims 21 to 24, characterized in that the access point identifies the authentication method by receiving an association request message from the terminal device.

26. A method according to claim 25, characterized in that the association request message comprises an authentication suite element, said authentication suite element further comprising the information of the authentication method the device is using.

27. A method according to any one of claims 17 to 26, characterized in that the method further comprises renewing the authentication after a time period.
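An added Python illustration of the list handling in claims 16 to 27 (not the patent's own description and not any Nokia implementation): the access point reads the authentication suite element of a constructed association request to decide which party relays the authentication, that party adds the terminal's identifier data to the access controller list after a successful authentication, and list entries expire so that the authentication must be renewed. The request encoding, the rule that a missing suite element means open system authentication, and the lifetime value are assumptions made for the example.

```python
from dataclasses import dataclass, field

FIRST_METHOD = "802.1X"        # the access point relays to the authentication server
SECOND_METHOD = "open_system"  # the authentication agent relays over IP


def identify_method(association_request: dict) -> str:
    """Read the authentication suite element of the association request
    (claims 25 and 26). The dict encoding of the request is constructed here,
    as is the rule that a missing element means open system authentication."""
    suite = association_request.get("authentication_suite")
    if suite is None:
        return SECOND_METHOD
    if suite == "IEEE 802.1X":
        return FIRST_METHOD
    raise ValueError(f"unsupported authentication suite: {suite}")


@dataclass
class AccessControllerFunctionality:
    """Relays packets of listed terminals and blocks all others."""
    lifetime: float  # seconds an entry stays valid before renewal (claim 27); assumed
    entries: dict = field(default_factory=dict)  # identifier data -> expiry time

    def add_authenticated(self, identifier: str, now: float, sender: str) -> None:
        """Accept identifier data (IP or MAC address, claim 20) sent by the access
        point after the first method or by the authentication agent after the second."""
        if sender not in ("access_point", "authentication_agent"):
            raise ValueError(f"unexpected list updater: {sender}")
        self.entries[identifier] = now + self.lifetime

    def relay(self, identifier: str, now: float) -> bool:
        """True if packets of this terminal are relayed, False if they are blocked."""
        expiry = self.entries.get(identifier)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[identifier]  # expired: the terminal must re-authenticate
            return False
        return True


def authenticate(ac: AccessControllerFunctionality, request: dict, identifier: str,
                 now: float, server_accepts: bool):
    """Run the claim 16 branching at the access point and return the party that
    relayed the authentication and updated the list, or None if it failed."""
    method = identify_method(request)
    relayer = "access_point" if method == FIRST_METHOD else "authentication_agent"
    if not server_accepts:  # the authentication server rejected the terminal
        return None
    ac.add_authenticated(identifier, now, relayer)
    return relayer


def demo() -> dict:
    """Constructed walk-through: one 802.1X terminal, one open system terminal,
    one rejected terminal, then a relay decision after the lifetime elapsed."""
    ac = AccessControllerFunctionality(lifetime=3600.0)
    results = {}
    dot1x_req = {"authentication_suite": "IEEE 802.1X"}  # constructed request
    open_req = {}                                        # no suite element
    results["dot1x_relayer"] = authenticate(ac, dot1x_req, "00:00:5e:00:53:11", 0.0, True)
    results["open_relayer"] = authenticate(ac, open_req, "10.0.0.12", 0.0, True)
    results["rejected"] = authenticate(ac, open_req, "10.0.0.13", 0.0, False)
    results["relay_listed"] = ac.relay("10.0.0.12", 100.0)
    results["relay_unlisted"] = ac.relay("10.0.0.13", 100.0)
    results["relay_expired"] = ac.relay("10.0.0.12", 3600.0)  # lifetime elapsed
    return results


if __name__ == "__main__":
    print(demo())
```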

28. An access point (200) for setting up a communication connection to a terminal device in a network, said network comprising

    an authentication agent for relaying authentication information between the terminal device and an authentication server,
    a logical access controller functionality for relaying data packets of authenticated terminal devices included on a list and blocking data packets of unauthenticated terminal devices,
    an authenticating server for providing an authenticating service for the terminal device to authenticate to the network, characterized in that the access point is configured to accept the terminal device to use one of the following authentication methods in order to authenticate itself to the network: a first authentication method wherein the access point is configured to relay authentication information between the terminal device and the authentication server, a second authentication method wherein the access point is configured to relay authentication information between the terminal device and an authentication agent, whereby the access point comprises

        identifying means (207) for identifying whether the terminal device is using the first or the second authentication method,
        first relaying means (201, 205, 206) for relaying authentication information between the terminal device and the authentication server if the terminal device was identified to be using the first authentication method,
        first sending means (201, 205) for sending identifier data of the terminal device, in response to successful authentication of the terminal device according to the first authentication method, to the list of the access controller functionality,
        second relaying means (201, 205, 206) for relaying authentication information between the terminal device and the authentication agent if the terminal device was identified to be using the second authentication method and
        second sending means (201, 205) for sending identifier data of the terminal device, in response to successful authentication of the terminal device according to the second authentication method, to the list of the access controller functionality.

29. An access point according to claim 28, characterized in that the identifying means are arranged to identify the authentication method by receiving an association request message from the terminal device.

30. An access point according to claim 29, characterized in that the identifying means are arranged to detect an authentication suite element from the association request message, said authentication suite element comprising the information of the authentication method the device is using.

31. An access point according to claim 28, characterized in that the detecting means are arranged to detect successful authentication of the terminal device using said first authentication method by receiving a message from the authentication server.

32. An access point according to claim 28, characterized in that the detecting means are arranged to detect successful authentication of the terminal device using said second authentication method by receiving a message from one of the following: the authentication agent or the authentication server.

33. A system for access control of a wireless terminal device (303, 304) in a communication network, the network comprising:

    an access point (501) for setting up a communication connection to the terminal device,
    an authentication agent (504) for relaying authentication information between the terminal device (303) and an authentication server (505),
    a logical access controller functionality (502) for relaying data packets of the authenticated terminal device and blocking data packets of unauthenticated terminal devices, the logical access controller functionality further comprising a list (503) of authenticated terminal devices,
    an authenticating server (505) for providing an authenticating service for the terminal device (303, 404) to authenticate to the network,
    the terminal device (303, 304) being configured to use one of the following authentication methods in order to authenticate itself to the network: a first authentication method wherein the access point (501) relays authentication information between the terminal device (404) and the authentication server (505), a second authentication method wherein the authentication agent (504) relays authentication information between the terminal device (303) and the authentication server (505), characterized in that the system comprises:

        identifying means for identifying at the access point (501) whether the terminal device (303, 404) is using the first or the second authentication method,
        first relaying means for relaying at the access point (501) the authentication information of the first authentication method between the terminal device (404) and the authentication server (505),
        second relaying means for relaying information between the terminal device (303) and the authentication agent (504),
        third relaying means at the authentication agent (504) for relaying authentication information of the second authentication method between the access point (501) and the authentication server (505),
        first sending means for sending from the access point (501) identifier data of the terminal device (404), in response to successful authentication of the terminal device according to the first authentication method, to the list (503) of the access controller functionality (502),
        second sending means for sending from the authentication agent (504) the identifier data of the terminal device (303), in response to successful authentication of the terminal device according to the second authentication method, to the list (503) of the access controller functionality (502) and
        relaying means at the access controller functionality (502) for relaying data packets of the terminal device (303, 404) included on the list.